From owner-freebsd-security@FreeBSD.ORG Mon Sep 29 00:05:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F94416A4B3 for ; Mon, 29 Sep 2003 00:05:44 -0700 (PDT) Received: from gateway.nixsys.be (gateway.nixsys.be [195.144.77.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5112643FB1 for ; Mon, 29 Sep 2003 00:05:43 -0700 (PDT) (envelope-from philip@nixsys.be) Received: from hermes.nixsys.be (hermes.nixsys.be [195.144.77.45]) by gateway.nixsys.be (Postfix) with ESMTP id A345EC145 for ; Mon, 29 Sep 2003 09:05:42 +0200 (CEST) Received: by hermes.nixsys.be (Postfix, from userid 1001) id 3622356; Mon, 29 Sep 2003 09:05:42 +0200 (CEST) Date: Mon, 29 Sep 2003 09:05:42 +0200 From: Philip Paeps To: security@freebsd.org Message-ID: <20030929070542.GE760@hermes.nixsys.be> Mail-Followup-To: security@freebsd.org References: <20030928235939.GH629@hermes.home.paeps.cx> <20030929022753.GC334@silverwraith.com> <20030929062920.GB760@hermes.nixsys.be> <3F77D2A8.10409@sitetronics.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F77D2A8.10409@sitetronics.com> X-Date-in-Rome: ante diem III Kalendas Octobres MMDCCLVI ab Urbe Condida X-PGP-Fingerprint: FA74 3C27 91A6 79D5 F6D3 FC53 BF4B D0E6 049D B879 X-Message-Flag: Get a proper mailclient! Mutt: User-Agent: Mutt/1.5.4i Subject: Re: Apache under attack and eating resources? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Sep 2003 07:05:44 -0000 On 2003-09-29 08:35:20 (+0200), Devon H. O'Dell wrote: > > I forgot to mention I was running mod_php4 from the ports. I don't think > > any scripts changed in the last few weeks, but I'll have a look into it. > > Any idea what kind of script bugs could cause PHP to tear things down like > > this, other than the classic loop from hell? > > PHP does a pretty good job from protecting against this. That's what I thought too, and I've never had this sort of issues before even on development systems where wasteful and dangerous coding is a rule rather than an exception. > Installing mod_php4 from ports will also turn on the --enable-memory-limit > switch, which causes PHP to terminate if more than x MB RAM are taken (this > shouldn't segfault Apache). In case I was misinterpreted: it's only a child or a number of children which segfault, not the parent process. Grepping the massive logfile some more, shows that it's not always a segfault either. Last night, one child also died with an 'abort trap' and two days ago there was a 'bus error'. Curiouser and curiouser... > The "classic loop from hell" should also be undoable, since PHP has a 60 > second execution time limit. I set it slightly higher for some scripts (none of which run at the times Apache goes nuts). I've stresstested those like a madman though, and they just won't damage anything. > You might want to run your httpd process in gdb to see what's going on when > stuff segfaults. If this is indeed a problem with PHP, I'm sure the > developers would like to hear about it ASAP! I'll look into that, thanks. Problem is that it's a production server and debugging symbols and debuggers might be a bit of a hard sell. I'll see what I can do though. First there's finding out if it's really PHP causing problems and not something like the phase of the moon or the relative proximities of Mars and Venus to the Earth... Thanks! - Philip -- Philip Paeps Please don't CC me, I am subscribed to the list. History repeats itself. that's one of the things wrong with history.